Commit
* tinkering with GHAS alert-related APIs
* working on basic scripts to pull security alerts
1 parent dee90c5, commit 707ec0f
Showing 11 changed files with 841 additions and 4 deletions.
@@ -0,0 +1,74 @@ | ||
|
||
# This workflow is designed to run on demand only. | ||
# See the repos API for more information: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28 | ||
# A repository secret named GH_PAT is required to run this workflow. It must have the "security_events" read permission. | ||
# If any check fails, the workflow will exit with a non-zero status. | ||
name: "Check Security Features" | ||
|
||
on: | ||
workflow_dispatch: | ||
|
||
jobs: | ||
check: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Check Dependabot | ||
id: check_dependabot | ||
run: | | ||
echo "Checking if Dependabot is enabled..." | ||
DEPENDABOT=$(curl -s -H "Authorization: Bearer ${{ secrets.GH_PAT }}" https://api.github.com/repos/${{ github.repository }}/dependabot/alerts) | ||
echo "Dependabot response: $DEPENDABOT" | ||
if [[ -z "$DEPENDABOT" ]] || [[ "$DEPENDABOT" == "null" ]]; then | ||
echo "Dependabot is not enabled" | ||
exit 1 | ||
else | ||
echo "Dependabot is enabled" | ||
fi | ||
- name: Check Secret Scanning | ||
id: check_secret_scanning_features | ||
run: | | ||
echo "Checking if Secret Scanning is enabled..." | ||
REPO_SETTINGS=$(curl -s -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GH_PAT }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/${{ github.repository }}) | ||
SECRET_SCANNING=$(echo "$REPO_SETTINGS" | jq -r '.security_and_analysis.secret_scanning.status') | ||
SECRET_SCANNING_PUSH_PROTECTION=$(echo "$REPO_SETTINGS" | jq -r '.security_and_analysis.secret_scanning_push_protection.status') | ||
echo "Secret Scanning status: $SECRET_SCANNING" | ||
echo "Secret Scanning Push Protection status: $SECRET_SCANNING_PUSH_PROTECTION" | ||
if [[ "$SECRET_SCANNING" != "enabled" ]]; then | ||
echo "Secret Scanning is not enabled" | ||
exit 1 | ||
fi | ||
if [[ "$SECRET_SCANNING_PUSH_PROTECTION" != "enabled" ]]; then | ||
echo "Secret Scanning Push Protection is not enabled" | ||
exit 1 | ||
fi | ||
- name: Check Code Scanning Analyses | ||
id: check_code_scanning_analyses | ||
run: | | ||
echo "Checking if Code Scanning Analyses are present..." | ||
CODE_SCANNING_ANALYSES=$(curl -s -L -H "Accept: application/vnd.github.v3+json" -H "Authorization: Bearer ${{ secrets.GH_PAT }}" https://api.github.com/repos/${{ github.repository }}/code-scanning/analyses) | ||
TOOLS=$(echo "$CODE_SCANNING_ANALYSES" | jq -r '[.[] | .tool.name] | unique') | ||
echo "Tools: $TOOLS" | ||
if [[ "$TOOLS" == "[]" ]] || [[ "$TOOLS" == "null" ]]; then | ||
echo "No tools found in Code Scanning Analyses" | ||
exit 1 | ||
else | ||
echo "Tools found in Code Scanning Analyses" | ||
fi | ||
- name: Final Report | ||
run: | | ||
if [[ "${{ steps.check_dependabot.outcome }}" == "failure" ]]; then | ||
echo "Dependabot check failed" | ||
fi | ||
if [[ "${{ steps.check_secret_scanning_features.outcome }}" == "failure" ]]; then | ||
echo "Security features check failed" | ||
fi | ||
if [[ "${{ steps.check_code_scanning_analyses.outcome }}" == "failure" ]]; then | ||
echo "Code Scanning Analyses check failed" | ||
fi | ||
if [[ "${{ steps.check_dependabot.outcome }}" == "success" ]] && [[ "${{ steps.check_secret_scanning_features.outcome }}" == "success" ]] && [[ "${{ steps.check_code_scanning_analyses.outcome }}" == "success" ]]; then | ||
echo "All checks passed. Good job!" | ||
fi | ||
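Review bot: the Final Report step at the end of the hunk can never report a failure. Each of the three check steps does `exit 1` without `continue-on-error: true`, so the job stops at the first failing step, and Final Report has no `if: always()`, so it is skipped; the `steps.<id>.outcome == "failure"` branches are therefore unreachable. Either add `continue-on-error: true` to the check steps and `if: always()` to Final Report, or drop Final Report and let the step exit codes carry the result. Separately, the Dependabot check `if [[ -z "$DEPENDABOT" ]] || [[ "$DEPENDABOT" == "null" ]]` treats any non-empty body as "enabled", but when Dependabot alerts are disabled, or when GH_PAT lacks the `security_events` permission the header comment requires, the API returns a non-empty JSON error object (`{"message": ...}`), so the step passes on exactly the condition it is meant to catch; check the HTTP status (`curl -sf`, or `-w '%{http_code}'`) or test `jq -e 'type == "array"'` instead, and add the same `Accept` and `X-GitHub-Api-Version` headers the other two steps send. Also note that `echo "Dependabot response: $DEPENDABOT"` writes the full list of open alerts into the workflow log, which is broader than the summary the step needs.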
Binary file added (+150 KB): ...tegrating_GitHub_Advanced_Security_with_third_party_reporting_and_analytics_platforms.pdf (binary file not shown)
@@ -0,0 +1,80 @@ | ||
ghsa_id,cve_id,url,html_url,summary,description,severity,author,publisher,state,created_at,updated_at,published_at | ||
GHSA-897j-wghw-fjcx,CVE-2021-44228,https://api.github.com/repos/austimkelly/swiss-cheese/security-advisories/GHSA-897j-wghw-fjcx,https://github.com/austimkelly/swiss-cheese/security/advisories/GHSA-897j-wghw-fjcx,Supply Chain Advisory: log4j (Demonstration Purposes Only),"### Impact | ||
_What kind of vulnerability is it? Who is impacted?_ | ||
|
||
log4j dependency is out of date. See also GitHub advisory: https://github.com/advisories/GHSA-v57x-gxfj-484q | ||
|
||
### Patches | ||
_Has the problem been patched? What versions should users upgrade to?_ | ||
|
||
Per the CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-44228), clients should update to 2.17.1 of the log4j dependency immediately. There has been multiple incomplete fixes. See https://github.com/advisories/GHSA-v57x-gxfj-484q for details on the various patch attempts | ||
|
||
### Workarounds | ||
_Is there a way for users to fix or remediate the vulnerability without upgrading?_ | ||
|
||
Disabling lookups via Environment Variable | ||
Setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true . | ||
This option is the easiest to apply for containerized environments. | ||
|
||
Disabling lookups in log4j2 configuration | ||
Another good option since there is no need to replace JARs or no need to modify logging configuration file, users who cannot upgrade to 2.17.0 can mitigate the exposure by: | ||
|
||
Users of Log4j 2.10 or greater may add -Dlog4j2.formatMsgNoLookups=true as a command line option or add -Dlog4j2.formatMsgNoLookups=true in a log4j2.component.properties file on the classpath to prevent lookups in log event messages. | ||
Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages. | ||
As an example; users deploying Hazelcast Management Center via helm charts can do the following to disable lookups and restart in one command: | ||
|
||
helm upgrade <release-name> hazelcast/hazelcast --set mancenter.javaOpts=""<javaOpts> -Dlog4j2.formatMsgNoLookups=true"" | ||
|
||
Where is the release name and is existing java options user has added previously. | ||
|
||
Removing the JndiLookup from classpath | ||
Remove the JndiLookup and JndiManager classes from the log4j-core jar. Note that removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function. | ||
|
||
### References | ||
_Are there any links users can visit to find out more?_ | ||
|
||
Please see Dependabot PRs: | ||
|
||
* https://github.com/austimkelly/swiss-cheese/pull/17 | ||
|
||
Associated Dependabot alerts for this PR can be found in: https://github.com/austimkelly/swiss-cheese/security/dependabot?q=is%3Aopen+log4j | ||
",critical,austimkelly,austimkelly,published,2024-01-10T18:22:00Z,2024-01-10T18:24:31Z,2024-01-10T18:24:31Z | ||
GHSA-x2j5-6fv4-fxc2,CVE-2023-26492,https://api.github.com/repos/austimkelly/swiss-cheese/security-advisories/GHSA-x2j5-6fv4-fxc2,https://github.com/austimkelly/swiss-cheese/security/advisories/GHSA-x2j5-6fv4-fxc2,SSRF found in ssrf.py (This is just a demo of a security advisory),"## Summary | ||
|
||
This is only a demo for an advisory. This uses existing CVE and CWE Ids to avoid requesting a CVE from GitHub. | ||
|
||
### References | ||
|
||
* https://github.com/advisories - Github Security Advisory Database | ||
* https://docs.github.com/en/code-security/security-advisories - Working with Security Advisories | ||
|
||
### Impact | ||
_What kind of vulnerability is it? Who is impacted?_ | ||
|
||
SSRF vulnerability detected in python source code. | ||
|
||
## Source Reference | ||
|
||
https://github.com/austimkelly/swiss-cheese/blob/main/ssrf/ssrf.py#L10 | ||
|
||
We also have a code scanning reference here: https://github.com/austimkelly/swiss-cheese/security/code-scanning/4 | ||
|
||
## Reproducible | ||
|
||
1. In `/ssrf` run `python3 ssrf.py` | ||
2. Run http://127.0.0.1:5000/follow?url=https://api.github.com/events in your browser. | ||
3. If the `url` parameter is executed, fail. | ||
|
||
### Patches | ||
_Has the problem been patched? What versions should users upgrade to?_ | ||
|
||
A code update has not yet been provided. | ||
|
||
### Workarounds | ||
_Is there a way for users to fix or remediate the vulnerability without upgrading?_ | ||
|
||
At this point there does not appear to be a mitigation without fixing and deploying the offending code | ||
|
||
### References | ||
_Are there any links users can visit to find out more?_ | ||
",high,austimkelly,austimkelly,published,2024-01-10T13:59:24Z,2024-01-10T14:53:21Z,2024-01-10T14:53:21Z |
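Review bot: this export is committed without any record of how it was produced (endpoint, query parameters, or the script the commit message mentions), so it cannot be regenerated or diffed against a fresh pull; add the generating command to a README or a header comment. The `description` field spans many physical lines and contains doubled quotes (`""<javaOpts> -Dlog4j2.formatMsgNoLookups=true""`), which is valid CSV but means any consumer must use a real CSV parser rather than splitting on newlines, and line-oriented diffs of this file will be noisy on every refresh. Within the first record, the Patches text says to update to 2.17.1 while the Workarounds text refers to users "who cannot upgrade to 2.17.0"; if this advisory is edited again, aligning the two versions would avoid confusing readers of the export.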